diff --git a/pkg/daemon/gateway_linux.go b/pkg/daemon/gateway_linux.go
index 45dc72a4ba72..6c05e5d75dec 100644
--- a/pkg/daemon/gateway_linux.go
+++ b/pkg/daemon/gateway_linux.go
@@ -517,6 +517,8 @@ func (c *Controller) setIptables() error {
 v4Rules = []util.IPTableRule{
 // mark packets from pod to service
 {Table: NAT, Chain: OvnPrerouting, Rule: strings.Fields(`-i ovn0 -m set --match-set ovn40subnets src -m set --match-set ovn40services dst -j MARK --set-xmark 0x4000/0x4000`)},
+ // refuse access to service ip when kube-proxy works in ipvs mode
+ {Table: NAT, Chain: OvnPostrouting, Rule: strings.Fields(`-m set --match-set ovn40services dst -j REJECT`)},
 // nat packets marked by kube-proxy or kube-ovn
 {Table: NAT, Chain: OvnPostrouting, Rule: strings.Fields(`-m mark --mark 0x4000/0x4000 -j ` + OvnMasquerade)},
 // nat service traffic
@@ -555,6 +557,8 @@ func (c *Controller) setIptables() error {
 v6Rules = []util.IPTableRule{
 // mark packets from pod to service
 {Table: NAT, Chain: OvnPrerouting, Rule: strings.Fields(`-i ovn0 -m set --match-set ovn60subnets src -m set --match-set ovn60services dst -j MARK --set-xmark 0x4000/0x4000`)},
+ // refuse access to service ip when kube-proxy works in ipvs mode
+ {Table: NAT, Chain: OvnPostrouting, Rule: strings.Fields(`-m set --match-set ovn60services dst -j REJECT`)},
 // nat packets marked by kube-proxy or kube-ovn
 {Table: NAT, Chain: OvnPostrouting, Rule: strings.Fields(`-m mark --mark 0x4000/0x4000 -j ` + OvnMasquerade)},
 // nat service traffic
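Review bot: The added rule puts `-j REJECT` into the nat table's OvnPostrouting chain, but as far as I know the iptables REJECT target is registered for the filter table only (INPUT/FORWARD/OUTPUT hooks), so the kernel is likely to refuse the rule with EINVAL and the whole rule set sync in setIptables may then fail on every pass; please verify on a node before merging and, if confirmed, move the rule to a filter-table chain. The rule also matches only on `--match-set ovn40services dst` with no source, interface or mark qualifier, so it is not restricted to the ipvs case its comment names and would reject any packet still carrying a service destination at POSTROUTING, ahead of the masquerade rule that follows it; either gate it on the proxy mode or extend the comment to say why rejecting every such packet is intended, e.g. `// kube-proxy in ipvs mode does not DNAT these flows, so any packet still addressed to a service ip here has no backend and is rejected`. The v6 rule in the @@ -555 hunk has the same two issues, and the index arithmetic in the @@ -624 hunk (`iptablesRules[:2]`, `rules[2]`) now silently depends on this rule sitting at position 1 of the slice, which deserves a one-line comment there. setIptables begins and ends outside these hunks.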
@@ -624,9 +628,9 @@ func (c *Controller) setIptables() error {
 }
 rules := make([]util.IPTableRule, len(iptablesRules)+1)
- copy(rules, iptablesRules[:1])
- copy(rules[2:], iptablesRules[1:])
- rules[1] = util.IPTableRule{
+ copy(rules, iptablesRules[:2])
+ copy(rules[3:], iptablesRules[2:])
+ rules[2] = util.IPTableRule{
 Table: NAT,
 Chain: OvnPostrouting,
 Rule: strings.Fields(fmt.Sprintf(`-m set --match-set %s src -m set --match-set %s dst -m mark --mark 0x4000/0x4000 -j SNAT --to-source %s`, svcMatchset, matchset, nodeIP)),